DNS Spoofing with Nethunter, cSploit & Kali Linux

How cool would it be as a pentester to walk around a target company, with only your smartphone, and divert individual systems surfing the web to an outside Kali Linux system you have setup that is just waiting for incoming connections. With Kali Nethunter you could!

Using Kali Nethunter & cSploit on your Android phone, you can fairly easily perform a Man-in-the-Middle attack on target systems. Of course you can do all the normal MitM type attacks but what is nice is that you can also do DNS spoofing. This would allow you to divert a system surfing the web (without ever physically touching the target) to a different website.

Well, what if that different website was a Kali Linux system running Social Engineering attacks?

Introduction

If you haven’t played with Nethunter yet, it is one of the coolest things since sliced bread. Nethunter is an adaptation of the most excellent Kali Linux penetration testing platform re-invented for use on smartphones.

As always, it is illegal to attempt to access or modify a system that you do not have express written permission to do so. Doing so could get you into serious legal trouble and you could end up in jail.

Though DNS spoofing attacks are not new, it is just so easy to do them with Nethunter. And as this could be easily misused, I will not show all the steps in this process, only show how the attack could be set up.

Also, I will not show how Nethunter is installed. If you install Nethunter on your phone, you do so at your own risk. Installing Nethunter involves wiping your phone, installing new and custom firmware and rooting it. As with modifying any smartphone, there is a possibility that the phone could be bricked in the process, turning your favorite phone into an expensive drink coaster.

Three systems will be used in this article – The smartphone running Nethunter, a test target system running Windows 7 and a third computer running Kali Linux.

All right, enough talk, let’s get to it!

Using Nethunter

When Nethunter boots up it looks like any other Android phone, other than the epic Kali booting screen that is. Kali Nethunter installs multiple tools found in a regular Kali Linux install and presents you with a nice menu system under the “Nethunter” icon:

There are some great tools here like “HID attacks”. This allows you to turn your phone into an evil USB keyboard that actually types commands on the target system when your phone is connected. There is also the MITM Framework which allows you to do more advanced MITM attacks than we will cover today. Of course you can also run Nmap scans, start Kali Services and several other things.

Don’t forget as well, that you have many of the Kali tools installed in the file system itself, so you can open a terminal and run them just as you would on a regular Kali system.

MitM DNS Spoofing with cSploit

Along with the Kali tools, Nethunter also installs several additional tools that are very helpful to a penetration tester including cSploit. cSploit is probably the fastest way on the phone to scan a connected network and perform basic attacks, including MitM.

Just tap the cSploit icon to start the application. It will immediately perform an extremely quick scan of all systems connected to the network. You will then be shown a list of all the network devices along with their name, MAC & IP addresses along with how many ports were detected on each device.

Clicking an individual target will give you a list of scans and attacks that can be run against the target:

Trace and port scanner are self-explanatory. Service inspector runs an indepth scan with service detection. Once this is done, you can then click the “Exploit Finder” button to try to find exploit for any vulnerabilities found during the Service inspection.

Let’s take a look at the MITM attacks:

We can use the DNS spoofing button to redirect the target system to a system we control. Once you click the “DNS Spoofing” button you will be presented with an Ettercap config screen. Simply set the Domain name you want to the IP address that you want it to actually point to.

For example, if we want the target to go to our separate Kali Linux system that we have, we would just put in its IP address. As “microsoft.com” is already added in the config file as an example, we just need to modify the IP address. So if our Kali Linux system was running at 192.168.1.39 then we would modify the Ettercap config screen to look something like this:

When Finished:

Just click, “SAVE”

And then click, “START”

And that is it. cSploit will start the MITM attack and set the Microsoft DNS entry on that target system to point to our Kali Linux box.

On the Kali Linux system, start the Social Engineering Toolkit, and then step through the web attack menu having it clone the Microsoft website.

And then when the target system opens their internet browser and types in “microsoft.com”, they will indeed see this:

But they will actually be connected to the Kali Linux system and be shown the cloned Microsoft website from the Social Engineering Toolkit.

If they click on any links they will get errors as SET does not clone the entire website. But the gist here is that we used our phone to redirect a user to a third system that could be hypothetically anywhere running a program that, when set up properly, could grab any text or credentials entered.

Conclusion

DNS spoofing will not work on all websites, and MitM attacks do not work at every location. But this could work out very well for a penetration tester in some circumstances. They could set up a cloned copy of a website (maybe the target system’s corporate website) on an offsite computer. Then just take their phone into the building, connecting to an open network port or the corporate Wi-Fi, and re-direct individual systems to the outside box for the win.

The best defense against Man-in-the-Middle attacks are to protect your physical network. Use complex passwords for your Wireless networks, disable or protect open & unused network ports, and segment your network when possible. DNS attacks will usually not work against websites using SSL (HTTPS), also they do not work well against websites that are hosted on a server that hosts multiple websites.